From f756baacadc33683ad58cc8219ccaaafe75d4436 Mon Sep 17 00:00:00 2001
From: Pahud Hsieh
Date: Wed, 11 Sep 2024 16:31:50 +0000
Subject: [PATCH 1/6] fix
---
 .../aws-cognito/lib/user-pool-idps/apple.ts | 18 +++++++-
 .../{apple.ts => apple.test.ts} | 45 +++++++++++++++++--
 2 files changed, 58 insertions(+), 5 deletions(-)
 rename packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/{apple.ts => apple.test.ts} (68%)
diff --git a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts
index 86d94c78726f7..80a32415de70a 100644
--- a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts
+++ b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts
@@ -2,6 +2,7 @@ import { Construct } from 'constructs';
 import { UserPoolIdentityProviderProps } from './base';
 import { CfnUserPoolIdentityProvider } from '../cognito.generated';
 import { UserPoolIdentityProviderBase } from './private/user-pool-idp-base';
+import { SecretValue } from '../../../core';
 /**
 * Properties to initialize UserPoolAppleIdentityProvider
@@ -22,8 +23,15 @@ export interface UserPoolIdentityProviderAppleProps extends UserPoolIdentityProv
 readonly keyId: string;
 /**
 * The privateKey content for Apple APIs to authenticate the client.
+ *
+ * @deprecated use privateKeyValue
 */
- readonly privateKey: string;
+ readonly privateKey?: string;
+ /**
+ * The privateKey content for Apple APIs to authenticate the client.
+ *
+ */
+ readonly privateKeyValue?: SecretValue;
 /**
 * The list of apple permissions to obtain for getting access to the apple profile
 * @see https://developer.apple.com/documentation/sign_in_with_apple/clientconfigi/3230955-scope
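Review bot: The TSDoc added for `privateKeyValue` repeats the deprecated `privateKey` sentence word for word, so a reader cannot tell what the new property buys or which kind of `SecretValue` to pass; the later patches in this series only add `@default`, they do not fix the wording. Since the value is unwrapped into `ProviderDetails.private_key` of the synthesized template (see the second hunk of this file), the doc should say that explicitly: `The private key for Apple APIs, as a SecretValue. Use a Secrets Manager- or SSM-backed SecretValue so the key stays a deploy-time dynamic reference instead of being written into the synthesized template.` The deprecated entry should give the reason as well: `@deprecated use privateKeyValue - a plain string is embedded in clear text in the synthesized template`. The interface declaration starts and ends outside the hunk.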
@@ -44,6 +52,12 @@ export class UserPoolIdentityProviderApple extends UserPoolIdentityProviderBase
 const scopes = props.scopes ?? ['name'];
+ //at least one of the properties must be configured
+ if ((!props.privateKey && !props.privateKeyValue) ||
+ (props.privateKey && props.privateKeyValue)) {
+ throw new Error('Exactly one of "privateKey" or "privateKeyValue" must be configured.');
+ }
+
 const resource = new CfnUserPoolIdentityProvider(this, 'Resource', {
 userPoolId: props.userPool.userPoolId,
 providerName: 'SignInWithApple', // must be 'SignInWithApple' when the type is 'SignInWithApple'
@@ -52,7 +66,7 @@ export class UserPoolIdentityProviderApple extends UserPoolIdentityProviderBase
 client_id: props.clientId,
 team_id: props.teamId,
 key_id: props.keyId,
- private_key: props.privateKey,
+ private_key: props.privateKeyValue ? props.privateKeyValue.unsafeUnwrap() : props.privateKey,
 authorize_scopes: scopes.join(' '),
 },
 attributeMapping: super.configureAttributeMapping(),
diff --git a/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/apple.ts b/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/apple.test.ts
similarity index 68%
rename from packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/apple.ts
rename to packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/apple.test.ts
index c38e5b16ee73b..b10466c09d6fa 100644
--- a/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/apple.ts
+++ b/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/apple.test.ts
@@ -1,5 +1,5 @@
 import { Template } from '../../../assertions';
-import { Stack } from '../../../core';
+import { Stack, SecretValue } from '../../../core';
 import { ProviderAttribute, UserPool, UserPoolIdentityProviderApple } from '../../lib';
 describe('UserPoolIdentityProvider', () => {
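Review bot: The new guard's double-negated condition is harder to read than the rule it enforces, and its second operand `props.privateKey && props.privateKeyValue` evaluates to a string or object rather than a boolean, which the `if` tolerates but a reader has to think about. Counting the truthy candidates states "exactly one" directly and keeps the same truthiness semantics (an empty `privateKey` still counts as unset): `if ([props.privateKey, props.privateKeyValue].filter(Boolean).length !== 1) {`. The enclosing constructor starts and ends outside the hunk, so whether the throw happens before or after any child construct is created cannot be confirmed from here.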
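Review bot: The added `private_key` line calls `unsafeUnwrap()` on whatever `SecretValue` the caller supplied and hands the result to `ProviderDetails`, so the protection depends entirely on the value being a deploy-time reference: a Secrets Manager-backed value stays a `{{resolve:secretsmanager:...}}` string (the added test checks exactly that), whereas a `SecretValue` wrapping plain text would be written into the synthesized template just like the deprecated `privateKey` string. That is the accepted mechanism for a CloudFormation property that only takes a string, but the call needs a why-comment so a later maintainer neither removes the unwrap nor assumes it hides the key: `// ProviderDetails.private_key is a plain CFN string, so the SecretValue must be unwrapped here; a Secrets Manager/SSM-backed value remains a dynamic reference resolved at deploy time, a plaintext-backed one ends up in the template.`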
@@ -90,8 +90,8 @@ describe('UserPoolIdentityProvider', () => {
 keyId: 'CDKKEYCDK1',
 privateKey: 'PRIV_KEY_CDK',
 attributeMapping: {
- familyName: ProviderAttribute.APPLE_LAST_NAME,
- givenName: ProviderAttribute.APPLE_FIRST_NAME,
+ familyName: ProviderAttribute.APPLE_FIRST_NAME,
+ givenName: ProviderAttribute.APPLE_LAST_NAME,
 custom: {
 customAttr1: ProviderAttribute.APPLE_EMAIL,
 customAttr2: ProviderAttribute.other('sub'),
@@ -109,5 +109,44 @@ describe('UserPoolIdentityProvider', () => {
 },
 });
 });
+
+ // cannot assign both privateKey and privateKeyValue
+ test('cannot assign both privateKey and privateKeyValue', () => {
+ // GIVEN
+ const stack = new Stack();
+ const pool = new UserPool(stack, 'userpool');
+
+ expect(() => {
+ new UserPoolIdentityProviderApple(stack, 'userpoolidp', {
+ userPool: pool,
+ clientId: 'com.amzn.cdk',
+ teamId: 'CDKTEAMCDK',
+ keyId: 'XXXXXXXXXX',
+ privateKey: 'PRIV_KEY_CDK',
+ privateKeyValue: SecretValue.secretsManager('dummyId'),
+ });
+ }).toThrow('Exactly one of "privateKey" or "privateKeyValue" must be configured.');
+ });
+
+ // should support privateKeyValue
+ test('should support privateKeyValue', () => {
+ // GIVEN
+ const stack = new Stack();
+ const pool = new UserPool(stack, 'userpool');
+
+ new UserPoolIdentityProviderApple(stack, 'userpoolidp', {
+ userPool: pool,
+ clientId: 'com.amzn.cdk',
+ teamId: 'CDKTEAMCDK',
+ keyId: 'XXXXXXXXXX',
+ privateKeyValue: SecretValue.secretsManager('dummyId'),
+ });
+
+ Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolIdentityProvider', {
+ ProviderDetails: {
+ private_key: '{{resolve:secretsmanager:dummyId:SecretString:::}}',
+ },
+ });
+ });
 });
 });
From 50911c82cec9db16f8aa1f227d46a1090938a972 Mon Sep 17 00:00:00 2001
From: Pahud Hsieh
Date: Wed, 11 Sep 2024 17:28:26 +0000
Subject: [PATCH 2/6] lint
---
 packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
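Review bot: The two tests added in the second hunk cover "both properties set" and "privateKeyValue alone", but the other rejection branch of the new guard — neither `privateKey` nor `privateKeyValue` configured — has no test, so dropping the `!props.privateKey && !props.privateKeyValue` half of the condition would still pass CI. Both properties are optional on the props interface after this series, so the omission compiles and the test is a straightforward copy of the first new case without either key. It belongs next to the two new tests, before the closing of `describe('UserPoolIdentityProvider')` at the end of the hunk.
```typescript
  test('throws when neither privateKey nor privateKeyValue is configured', () => {
    // GIVEN
    const stack = new Stack();
    const pool = new UserPool(stack, 'userpool');

    // THEN: the guard must reject the "neither" case, not only the "both" case
    expect(() => {
      new UserPoolIdentityProviderApple(stack, 'userpoolidp', {
        userPool: pool,
        clientId: 'com.amzn.cdk',
        teamId: 'CDKTEAMCDK',
        keyId: 'XXXXXXXXXX',
      });
    }).toThrow('Exactly one of "privateKey" or "privateKeyValue" must be configured.');
  });
  // … unchanged: closing of describe('UserPoolIdentityProvider') …
```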
diff --git a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts
index 80a32415de70a..beff259555bc6 100644
--- a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts
+++ b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts
@@ -23,13 +23,13 @@ export interface UserPoolIdentityProviderAppleProps extends UserPoolIdentityProv
 readonly keyId: string;
 /**
 * The privateKey content for Apple APIs to authenticate the client.
- *
+ *
 * @deprecated use privateKeyValue
 */
 readonly privateKey?: string;
 /**
 * The privateKey content for Apple APIs to authenticate the client.
- *
+ *
 */
 readonly privateKeyValue?: SecretValue;
 /**
From 25d312b16cfcba649738588ee62246a100f2e668 Mon Sep 17 00:00:00 2001
From: Pahud Hsieh
Date: Wed, 11 Sep 2024 16:15:14 -0400
Subject: [PATCH 3/6] Update packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts
Co-authored-by: GZ
---
 packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts
index beff259555bc6..9c481d32d89bd 100644
--- a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts
+++ b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts
@@ -52,7 +52,7 @@ export class UserPoolIdentityProviderApple extends UserPoolIdentityProviderBase
 const scopes = props.scopes ?? ['name'];
- //at least one of the properties must be configured
+ // Exactly one of the properties must be configured
 if ((!props.privateKey && !props.privateKeyValue) ||
 (props.privateKey && props.privateKeyValue)) {
 throw new Error('Exactly one of "privateKey" or "privateKeyValue" must be configured.');
From 51defa5b306978e836bfd124493ffca38300dc05 Mon Sep 17 00:00:00 2001
From: Pahud Hsieh
Date: Wed, 11 Sep 2024 20:45:42 +0000
Subject: [PATCH 4/6] lint
---
 packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts
index 9c481d32d89bd..caa7c7dc3e82d 100644
--- a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts
+++ b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts
@@ -25,11 +25,12 @@ export interface UserPoolIdentityProviderAppleProps extends UserPoolIdentityProv
 * The privateKey content for Apple APIs to authenticate the client.
 *
 * @deprecated use privateKeyValue
+ * @default undefined
 */
 readonly privateKey?: string;
 /**
 * The privateKey content for Apple APIs to authenticate the client.
- *
+ * @default undefined
 */
 readonly privateKeyValue?: SecretValue;
 /**
From f037b7d127cc339aac7c3efa9ee1bb1d633ee471 Mon Sep 17 00:00:00 2001
From: Pahud Hsieh
Date: Wed, 11 Sep 2024 20:53:22 +0000
Subject: [PATCH 5/6] fix
---
 .../aws-cognito/test/user-pool-idps/apple.test.ts | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/apple.test.ts b/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/apple.test.ts
index b10466c09d6fa..a299953d1cc8f 100644
--- a/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/apple.test.ts
+++ b/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/apple.test.ts
@@ -90,8 +90,8 @@ describe('UserPoolIdentityProvider', () => {
 keyId: 'CDKKEYCDK1',
 privateKey: 'PRIV_KEY_CDK',
 attributeMapping: {
- familyName: ProviderAttribute.APPLE_FIRST_NAME,
- givenName: ProviderAttribute.APPLE_LAST_NAME,
+ familyName: ProviderAttribute.APPLE_LAST_NAME,
+ givenName: ProviderAttribute.APPLE_FIRST_NAME,
 custom: {
 customAttr1: ProviderAttribute.APPLE_EMAIL,
 customAttr2: ProviderAttribute.other('sub'),
@@ -102,8 +102,8 @@ describe('UserPoolIdentityProvider', () => {
 // THEN
 Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolIdentityProvider', {
 AttributeMapping: {
- family_name: 'firstName',
- given_name: 'lastName',
+ family_name: 'lastName',
+ given_name: 'firstName',
 customAttr1: 'email',
 customAttr2: 'sub',
 },
From a66f025f4021c055ab1c78d5cfc7166cc0b14989 Mon Sep 17 00:00:00 2001
From: Pahud Hsieh
Date: Wed, 11 Sep 2024 21:07:52 +0000
Subject: [PATCH 6/6] lint
---
 packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts
index caa7c7dc3e82d..c78bbe6d00484 100644
--- a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts
+++ b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts
@@ -25,12 +25,12 @@ export interface UserPoolIdentityProviderAppleProps extends UserPoolIdentityProv
 * The privateKey content for Apple APIs to authenticate the client.
 *
 * @deprecated use privateKeyValue
- * @default undefined
+ * @default none
 */
 readonly privateKey?: string;
 /**
 * The privateKey content for Apple APIs to authenticate the client.
- * @default undefined
+ * @default none
 */
 readonly privateKeyValue?: SecretValue;
 /**